for acl checking. There is no risk of giving away such values;
they are only used to check permissions.
- bindpw <plaintext password for ac purposes>
+ bindpw <password for ac purposes>
This directive sets the password for acl checking in conjunction
with the above mentioned "binddn" directive.
+ pseudorootdn <substitute dn in case of rootdn bind>
+
+This directive, if present, sets the dn that will be substituted
+to the bind dn if a bind with the backend's "rootdn" succeeds. The true
+"rootdn" of the target server ought not be used; an arbitrary administrative
+dn should used instead.
+
+ pseudorootpw <substitute password in case of rootdn bind>
+
+This directive sets the credential that will be used in case a bind
+with the backend's "rootdn" succeeds, and the bind is propagated to
+the target using the "pseudorootdn" dn.
+
rewrite* ...
suffixmassage <virtual naming context> <real naming context>
* of course only one target actually is ...
*/
int bound_target;
+#define META_BOUND_NONE -1
+#define META_BOUND_ALL -2
/* supersedes the connection stuff */
struct metasingleconn **conns;
};
char *binddn;
char *bindpw;
+ char *pseudorootdn;
+ char *pseudorootpw;
+
struct rewrite_info *rwinfo;
struct ldapmap oc_map;
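Review bot: The new `pseudorootdn`/`pseudorootpw` members are added without any comment, although `pseudorootpw` is a clear-text administrative password for the remote target (the directive text earlier in this header says an administrative dn is expected) that lives in memory for the lifetime of the target and comes straight from slapd.conf. Document that on the field, e.g. `char *pseudorootpw; /* clear-text password used for rootdn binds; keep slapd.conf unreadable to others */`, and give `pseudorootdn` a matching `/* dn substituted for the local rootdn on this target */`. While touching that description, the sentence `an arbitrary administrative dn should used instead` should read `should be used`, and it should say what happens to a target that has no `pseudorootdn` when a rootdn bind occurs, since that is the case a deployer is most likely to get wrong.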
struct metaconn *lc,
const char *dn,
const char *ndn,
- struct berval *cred,
+ const char *cred,
int method,
int candidate
);
#define META_OP_ALLOW_MULTIPLE 0x00
#define META_OP_REQUIRE_SINGLE 0x01
+#define META_OP_REQUIRE_ALL 0x02
extern struct metaconn *
meta_back_getconn(
struct metainfo *li,
struct metainfo *li = ( struct metainfo * )be->be_private;
struct metaconn *lc;
- int rc = -1, i, gotit = 0, ndnlen, err = LDAP_SUCCESS;
+ int rc = -1, i, gotit = 0, ndnlen, isroot = 0;
+ int op_type = META_OP_ALLOW_MULTIPLE;
+ int err = LDAP_SUCCESS;
+
+ char *realdn = (char *)dn;
+ char *realndn = (char *)ndn;
+ char *realcred = cred->bv_val;
+ int realmethod = method;
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_ENTRY,
*edn = NULL;
- lc = meta_back_getconn( li, conn, op, META_OP_ALLOW_MULTIPLE,
- ndn, NULL );
+ if ( method == LDAP_AUTH_SIMPLE
+ && be_isroot_pw( be, conn, ndn, cred ) ) {
+ isroot = 1;
+ *edn = ch_strdup( be_root_dn( be ) );
+ op_type = META_OP_REQUIRE_ALL;
+ }
+ lc = meta_back_getconn( li, conn, op, op_type, ndn, NULL );
if ( !lc ) {
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_NOTICE,
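Review bot: `char *realdn = (char *)dn;` and `char *realndn = (char *)ndn;` cast const away only so the values can later be handed to meta_back_do_single_bind, which this same patch changes to take `const char *` for dn, ndn and cred; the casts are therefore unnecessary and would silently hide any future write through those pointers. Declare them `const char *realdn = dn;`, `const char *realndn = ndn;`, `const char *realcred = cred->bv_val;` instead. Note also that these four "real*" variables are function-scoped but are only meaningful per target in the bind loop that follows; declaring them there would make the per-target substitution self-contained. The `!lc` failure path after `*edn = ch_strdup( be_root_dn( be ) )` continues past the hunk, so whether *edn is released on that path could not be checked here.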
/*
* Each target is scanned ...
*/
- lc->bound_target = -1;
+ lc->bound_target = META_BOUND_NONE;
ndnlen = strlen( ndn );
for ( i = 0; i < li->ntargets; i++ ) {
int lerr;
#endif /* !NEW_LOGGING */
}
-
- lerr = meta_back_do_single_bind( li, lc, dn, ndn, cred,
- method, i );
+ if ( isroot && li->targets[ i ]->pseudorootdn != NULL ) {
+ realdn = li->targets[ i ]->pseudorootdn;
+ realndn = li->targets[ i ]->pseudorootdn;
+ realcred = li->targets[ i ]->pseudorootpw;
+ realmethod = LDAP_AUTH_SIMPLE;
+ }
+
+ lerr = meta_back_do_single_bind( li, lc,
+ realdn, realndn, realcred, realmethod, i );
if ( lerr != LDAP_SUCCESS ) {
err = lerr;
( void )meta_clear_one_candidate( lc->conns[ i ], 1 );
}
}
+ if ( isroot ) {
+ lc->bound_target = META_BOUND_ALL;
+ }
+
/*
* rc is LDAP_SUCCESS if at least one bind succeeded,
* err is the last error that occurred during a bind;
*/
err = ldap_back_map_result( err );
send_ldap_result( conn, op, err, NULL, "", NULL, NULL );
+ return -1;
}
return 0;
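Review bot: realdn, realndn, realcred and realmethod are declared once for the whole function and are overwritten inside the loop only when `isroot && pseudorootdn != NULL`, so when `isroot` is set a target without a pseudorootdn is bound with whatever was in scope: the first such target receives the local rootdn plus the clear-text rootpw the client just presented (`realcred` starts as `cred->bv_val`), and a later one receives the previous target's pseudoroot dn and pseudorootpw. Both are credential disclosures to a remote server; the substitution must be recomputed per iteration and, under `isroot`, a target lacking `pseudorootdn` or `pseudorootpw` should be cleared as a candidate rather than bound (a NULL `pseudorootpw` would otherwise reach ldap_bind_s as the password, presumably yielding an unauthenticated bind). Separately, `lc->bound_target = META_BOUND_ALL` after the loop is set even when one or more per-target binds failed and were cleared, so the connection advertises a state it does not have; guard it with `err == LDAP_SUCCESS`. With the rewrite below the function-level declarations of the real* variables become unused and should be dropped; the enclosing function starts before the hunk.
```c
	for ( i = 0; i < li->ntargets; i++ ) {
		int lerr;
		/* recomputed for every target so nothing leaks from the previous one */
		const char *realdn = dn;
		const char *realndn = ndn;
		const char *realcred = cred->bv_val;
		int realmethod = method;

		/* … unchanged: per-target candidate checks and logging … */

		if ( isroot ) {
			if ( li->targets[ i ]->pseudorootdn == NULL
					|| li->targets[ i ]->pseudorootpw == NULL ) {
				/* never forward the local rootpw to a remote target */
				err = LDAP_UNWILLING_TO_PERFORM;
				( void )meta_clear_one_candidate( lc->conns[ i ], 1 );
				continue;
			}
			realdn = realndn = li->targets[ i ]->pseudorootdn;
			realcred = li->targets[ i ]->pseudorootpw;
			realmethod = LDAP_AUTH_SIMPLE;
		}

		lerr = meta_back_do_single_bind( li, lc,
				realdn, realndn, realcred, realmethod, i );
		/* … unchanged: error handling for lerr … */
	}
	/* only claim "all bound" when every target actually bound */
	if ( isroot && err == LDAP_SUCCESS ) {
		lc->bound_target = META_BOUND_ALL;
	}
```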
struct metaconn *lc,
const char *dn,
const char *ndn,
- struct berval *cred,
+ const char *cred,
int method,
int candidate
)
return LDAP_OPERATIONS_ERROR;
}
- rc = ldap_bind_s( lc->conns[ candidate ]->ld, mdn,
- cred->bv_val, method );
+ rc = ldap_bind_s( lc->conns[ candidate ]->ld, mdn, cred, method );
if ( rc != LDAP_SUCCESS ) {
rc = ldap_back_map_result( rc );
} else {
struct metasingleconn **lsc;
int bound = 0, i;
+ /*
+ * all the targets are bound as pseudoroot
+ */
+ if ( lc->bound_target == META_BOUND_ALL ) {
+ return 1;
+ }
+
for ( i = 0, lsc = lc->conns; lsc[ 0 ] != NULL; ++i, ++lsc ) {
int rc;
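Review bot: The `META_BOUND_ALL` short-circuit returns 1 before the per-connection loop, so a connection marked `META_BOUND_ALL` is reported as fully bound even when some targets failed their pseudoroot bind and were cleared with meta_clear_one_candidate in the bind path, which sets `META_BOUND_ALL` unconditionally after its loop. If this function's result decides whether an operation is dispatched over every entry of lc->conns, an operation can then be sent to a cleared or never-bound target under root's authority. Either make the bind path set `META_BOUND_ALL` only when every target bound, or drop the shortcut and let the loop below verify each `lsc[ 0 ]` as it does for ordinary binds; in the latter case a comment such as `/* rootdn binds are verified per target like any other */` replaces the current one. The enclosing function begins before the hunk and its loop body continues after it.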
struct metaconn *lc;
struct metasingleconn **lsc;
char *match = NULL, *err = NULL, *mmatch = NULL;
- int candidates = 0, last = 0, i, count, rc, cres, rres;
+ int candidates = 0, last = 0, i, count, rc;
+ int cres = LDAP_SUCCESS, rres = LDAP_SUCCESS;
int *msgid;
lc = meta_back_getconn( li, conn, op, META_OP_ALLOW_MULTIPLE,
return 1;
}
li->targets[ i ]->bindpw = ch_strdup( argv[ 1 ] );
+
+ /* name to use as pseudo-root dn */
+ } else if ( strcasecmp( argv[ 0 ], "pseudorootdn" ) == 0 ) {
+ int i = li->ntargets-1;
+
+ if ( i < 0 ) {
+ fprintf( stderr,
+ "%s: line %d: need \"uri\" directive first\n",
+ fname, lineno );
+ }
+
+ if ( argc != 2 ) {
+ fprintf( stderr,
+ "%s: line %d: missing name in \"pseudorootdn <name>\" line\n",
+ fname, lineno );
+ return 1;
+ }
+ li->targets[ i ]->pseudorootdn = ch_strdup( argv[ 1 ] );
+
+ /* password to use as pseudo-root */
+ } else if ( strcasecmp( argv[ 0 ], "pseudorootpw" ) == 0 ) {
+ int i = li->ntargets-1;
+
+ if ( i < 0 ) {
+ fprintf( stderr,
+ "%s: line %d: need \"uri\" directive first\n",
+ fname, lineno );
+ }
+
+ if ( argc != 2 ) {
+ fprintf( stderr,
+ "%s: line %d: missing password in \"pseudorootpw <password>\" line\n",
+ fname, lineno );
+ return 1;
+ }
+ li->targets[ i ]->pseudorootpw = ch_strdup( argv[ 1 ] );
/* dn massaging */
} else if ( strcasecmp( argv[ 0 ], "suffixmassage" ) == 0 ) {
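Review bot: In both the `pseudorootdn` and `pseudorootpw` branches the `i < 0` case prints `need "uri" directive first` but does not return, so parsing continues and writes `li->targets[ -1 ]->pseudorootdn` (resp. `pseudorootpw`), an out-of-bounds write triggered purely by directive order in slapd.conf; add `return 1;` after each of those fprintf calls. Nothing ties the two directives together either: a target configured with `pseudorootdn` but no `pseudorootpw` leaves the password NULL, and the bind path passes that value straight to ldap_bind_s, so a post-parse check that both are set (or neither) should be added rather than relying on the remote server to reject it. Since `pseudorootpw` is an administrative secret kept in clear text in slapd.conf like `bindpw`, the branch comment should say so: `/* password to use as pseudo-root (clear text in slapd.conf; protect the file) */`.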
}
}
- lc->bound_target = -1;
+ lc->bound_target = META_BOUND_NONE;
return lc;
}
*candidate = i;
}
+ /*
+ * require all connections ...
+ */
+ } else if (op_type == META_OP_REQUIRE_ALL) {
+ for ( i = 0; i < li->ntargets; i++ ) {
+
+ /*
+ * The target is activated; if needed, it is
+ * also init'd
+ */
+ int lerr = init_one_conn( conn, op, li->targets[ i ],
+ vers, lc->conns[ i ] );
+ if ( lerr != LDAP_SUCCESS ) {
+
+ /*
+ * FIXME: in case one target cannot
+ * be init'd, should the other ones
+ * be tried?
+ */
+ ( void )meta_clear_one_candidate( lc->conns[ i ], 1 );
+ err = lerr;
+ continue;
+ }
+ }
+
/*
* if no unique candidate ...
*/
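Review bot: In the `META_OP_REQUIRE_ALL` branch an init_one_conn failure clears the candidate, records lerr in err and continues, but nothing in the hunk turns a partial activation into a failure, even though the only caller that requests this mode is the rootdn bind path, which afterwards marks the whole connection `META_BOUND_ALL`. An all-or-nothing mode should fail closed: after the loop, something like `if ( op_type == META_OP_REQUIRE_ALL && err != LDAP_SUCCESS ) { /* release lc via the function's existing failure exit */ return NULL; }`, and the FIXME asking whether the other targets should be tried should be answered here rather than shipped. How err is reported and how lc is released on failure lie outside the hunk, so the exact exit to use could not be confirmed from this view.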
suffix "o=Foo Bar, c=US"
dncache-ttl forever
lastmod off
+rootdn "cn=root,o=Foo Bar,c=US"
+rootpw foo
uri "ldap://localhost:@PORT@/ou=People, dc=foo, o=Foo Bar, c=US"
+pseudorootdn "cn=Root, ou=People, dc=foo, dc=example, dc=com"
+pseudorootpw ldap
rewriteEngine on
rewriteContext default
rewriteRule "(.*)o=Foo Bar,[ ]?c=US" "%1dc=example, dc=com"
rewriteRule "(.*)member=([^)]+),o=Foo Bar,[ ]?c=US(.*)" "%1member=%2,dc=example,dc=com%3"
uri "ldap://localhost:@PORT@/ou=People, dc=bar, o=Foo Bar, c=US"
+pseudorootdn "cn=Root, ou=People, dc=bar, dc=example, dc=com"
+pseudorootpw ldap
rewriteEngine on
rewriteContext default
rewriteRule "(.*)o=Foo Bar,[ ]?c=US" "%1dc=example, dc=com"